AppLocker is a part of Windows 7/8 Enterprise. It allows an entire organization to eliminate malware. It is seriously that powerful! It works by whitelisting, or allowing, a specific set of trusted executables to run. Once set up, AppLocker is easy to manage. However, if an untrusted executable is run, you still have to search the event log to gather the AppLocker errors.

To get a picture of how ugly that event log is, here is a screenshot:

Now imagine opening up the event log for multiple machines! Not fun at all! To help aggregate these logs, we are going to use PowerShell!

Storing the AppLocker Errors

We start by prompting for a computer name and storing it in the $Computers variable. Next, we overwrite that variable with the output of the Get-QADComputer command. This allows us to search for something like GAMCN and return every computer whose name matches that pattern.

Next, we run a foreach to cycle through all of the computers stored in $Computers. We create a new variable named $ids and store the UserId information for every AppLocker error. Because that UserId is the object SID of the user, we use the New-Object command (plus Translate) to convert that SID into a standard user name.

Finally, we append to the $Errors variable a list of all AppLocker errors, including our now translated UserId. Here is a screenshot of our final result:
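The procedure above, written out as an added example (this is not the script from the original post). It assumes the Quest Get-QADComputer cmdlet the post uses, remote event log access to each target, and reads the dedicated AppLocker channel, where event ID 8004 is the enforced "was prevented from running" event:

```powershell
# Added example: collect AppLocker block events from several machines.
# Assumes the Quest AD cmdlets (Get-QADComputer) and remote event log access.
$Pattern   = Read-Host 'Computer name prefix (e.g. GAMCN)'
$Computers = Get-QADComputer -Name "$Pattern*" | Select-Object -ExpandProperty Name

# AppLocker writes to its own channel; 8004 = executable blocked (enforce mode).
$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$BlockId = 8004
$Errors  = @()

foreach ($Computer in $Computers) {
    try {
        # -ErrorAction Stop makes "no events found" and RPC failures catchable.
        $events = Get-WinEvent -ComputerName $Computer -ErrorAction Stop `
            -FilterHashtable @{ LogName = $LogName; Id = $BlockId }
    } catch {
        Write-Warning "$Computer`: $($_.Exception.Message)"
        continue
    }

    foreach ($event in $events) {
        # UserId is the SID of the account that launched the file; translate it
        # to DOMAIN\user, falling back to the raw SID if the account is gone.
        $user = 'N/A'
        if ($event.UserId) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($event.UserId.Value)
            try   { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $sid.Value }
        }

        # The first line of the message names the blocked file.
        $Errors += [PSCustomObject]@{
            Computer = $Computer
            Time     = $event.TimeCreated
            User     = $user
            Message  = ($event.Message -split "`r?`n")[0]
        }
    }
}

$Errors | Sort-Object Time -Descending | Format-Table -AutoSize
```

Pipe $Errors to Export-Csv instead of Format-Table to keep a record you can review later.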